[Samba] login as a service to win2k & domain user manager

Thu Mar 6 20:44:42 GMT 2003

On Thu, 6 Mar 2003, Jason Norred wrote:

> That is exactly what i'm trying to do. I want to create a network user
> for my antivirus software that can login as a service to apply updates
> to my win2k machines. I can physically go to each machine and adjust the
> "Local Security Policy" to allow a samba "domain user" the ability to
> login to that one specific machine as a service. BUT doing things that
> way on my entire network defeats the purpose of what i'm trying to do.
>
> Any ideas????

There are two different types off policy objects, local and global. The
local objects can only be administered on the client machine. The global
policy objects confer user rights and privilidges that follow the user
from machine to machine. To my knowledge Samba does NOT at this time
support global policy handling. This is being worked on but it is my
understanding that this is still some time off.

If I am correct, then you will either need to be patient until we can
impliment this, or else get involved to make this functionality available.
I do not mean to be offensive in putting it this way.

A lot of people have been asking how they can gain administrative
privilidge on a machine they log onto so that they can install software,
etc. Right now the only way is to configure that ability using local
policies on the machine.

I guess the same applies to granting users the right to log on as a
service (more correctly start up a service with particular user
ownership). I am looking at ta way to do this through the NTConfig.POL
file but have not yet come to a conclusion as to how to affect this.

- John T.

>
> Jason
>
>
> On Wed, 2003-03-05 at 19:20, Jim Wharton wrote:
>
> > Under NT, you could do it through User Manager for Domains. You would select
> > the user and pull down the Policy menu and select User Rights. Then after
> > checking view advanced privleges, you could add "Logon as batch Job" ...very
> > useful for Oracle and other overnight import/export jobs.
> >
> > In Windows 2000, logon as batch job is assigned from the 'Local Security
> > Policy' folder.
> > Open the Control Panel from the Start menu
> > Open 'Administrative Tools'
> > Open 'Local Security Policy'
> > Open 'Local Policies'
> > Open 'User Rights Assignment'
> > Right-click 'Log on as batch job' from the list. Click the 'Add' button;
> > select the User who is to be granted this privilege. Click Add and click OK.
> >
> > I have never tried this with Samba, but I've had to mess with this feature a
> > lot lately... Oracle requires it for import/export.
> >
> > Jim
> >
> > ----- Original Message -----
> > From: "John H Terpstra" <jht at samba.org>
> > To: "Jason Norred" <jnorred at staffprofessionals.com>
> > Cc: <samba at lists.samba.org>
> > Sent: Wednesday, March 05, 2003 7:58 PM
> > Subject: Re: [Samba] login as a service to win2k & domain user manager
> >
> >
> > > On Wed, 5 Mar 2003, Jason Norred wrote:
> > >
> > > > Hello Samba Administrators,
> > > >
> > > > I'm currently running a Samba PDC ver 2.2.7. I have a couple of issues
> > > > that I'm trying to find some resolution on.
> > > >
> > > > First, I need to be able to have a domain user be able to login to my
> > > > Win2k clients as a service. I can do this by going to each client and
> > > > configuring the Local Security Policy on EACH and EVERY client machine.
> > > > This is obviously not a good solution. On a Win2k server I could use the
> > > > User Manager for Domains tool, but that tool does not work yet in full
> > > > with samba.
> > >
> > > Please help us to understand precisely what you are trying to achieve
> > > here. More importantly, please give us a step by step explanation of how
> > > you currently do this in a pure Microsoft world.
> > >
> > > > Secondly, how can I add a Domain User to the Local Win2k client
> > > > computer's Power Users Group??? Again, I see how to do that at each
> > > > machine locally. Is there a way to implement this network-wide?
> > >
> > > How do you do this now? Your answer here might help use to find a solution
> > > for you.
> > >
> > > - John T.
> > > --
> > > John H Terpstra
> > > Email: jht at samba.org
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  http://lists.samba.org/mailman/listinfo/samba
>

-- 
John H Terpstra
Email: jht at samba.org